Environment Variables
SaaS Box enforces strict, type-safe environment variable validation using Zod. If you attempt to start the server or build the application without a required variable, the process will immediately fail and explicitly tell you which key is missing.
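A dependency-free preflight check in the spirit of the start-up validation described above, extended to catch secrets placed behind the client-exposed prefix and a mismatched auth origin. This is an added example, not SaaS Box's own Zod schema: the variable names come from the tables below, while `auditEnv`, the required-key list, the 32-character minimum and the name patterns are assumptions.

```javascript
// Added example: dependency-free preflight, not SaaS Box's Zod schema.
// Assumption: this subset of the documented variables is treated as required.
const REQUIRED = [
  "NEXT_PUBLIC_APP_URL", "DATABASE_URL", "BETTER_AUTH_SECRET", "BETTER_AUTH_URL",
  "POLAR_ACCESS_TOKEN", "POLAR_WEBHOOK_SECRET", "R2_ACCESS_KEY_ID",
  "R2_SECRET_ACCESS_KEY", "RESEND_API_KEY",
];
// Name fragments that should never sit behind the client-exposed prefix.
const SECRET_HINT = /SECRET|TOKEN|API_KEY|ACCESS_KEY|PASSWORD|DATABASE_URL/;
const MIN_SECRET_LENGTH = 32; // assumed threshold, not a Better-Auth rule

function originOf(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // not an absolute URL
  }
}

function auditEnv(env) {
  const problems = [];
  for (const key of REQUIRED) {
    if (!env[key] || env[key].trim() === "") problems.push(`missing: ${key}`);
  }
  // NEXT_PUBLIC_* values are inlined into the browser bundle at build time.
  for (const key of Object.keys(env)) {
    if (key.startsWith("NEXT_PUBLIC_") && SECRET_HINT.test(key)) {
      problems.push(`client-exposed secret: ${key}`);
    }
  }
  const secret = env.BETTER_AUTH_SECRET || "";
  if (secret && secret.length < MIN_SECRET_LENGTH) {
    problems.push("too short: BETTER_AUTH_SECRET");
  }
  // Flag an auth origin that differs from the public app origin for review.
  const appOrigin = originOf(env.NEXT_PUBLIC_APP_URL || "");
  const authOrigin = originOf(env.BETTER_AUTH_URL || "");
  if (env.BETTER_AUTH_URL && authOrigin === null) {
    problems.push("not a URL: BETTER_AUTH_URL");
  } else if (appOrigin && authOrigin && appOrigin !== authOrigin) {
    problems.push("origin mismatch: BETTER_AUTH_URL");
  }
  return problems;
}
```

Call `auditEnv(process.env)` before the server starts and exit with a non-zero status if the returned list is not empty.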
Core Application
Fundamental variables required for basic routing, absolute URLs, and application state.
| Variable | Configuration & Retrieval |
|---|---|
| NEXT_PUBLIC_APP_URL | The public-facing URL used by client components to construct absolute paths, canonical SEO tags, and email links. Development: http://localhost:3000 Production: https://yourdomain.com |
| NEXT_PUBLIC_DEMO_MODE | A boolean flag used within the admin dashboard to populate mock data for demonstration purposes. If you are building a real production application, you can safely delete this variable and entirely remove its associated mock logic from the codebase. Value: true or false |
Database Configuration
Connection strings required by Drizzle ORM to interface with your Neon Tech serverless PostgreSQL instance.
| Variable | Configuration & Retrieval |
|---|---|
| DATABASE_URL | The secure connection string used by both the Next.js runtime and the Drizzle CLI. |
Authentication Engine
Cryptographic secrets and OAuth credentials utilized by Better-Auth to issue secure, signed session tokens.
| Variable | Configuration & Retrieval |
|---|---|
| BETTER_AUTH_SECRET | A high-entropy cryptographic secret. Do not expose this to the client. You can generate this securely using the official Better-Auth CLI tool: `npx @better-auth/cli secret` |
| BETTER_AUTH_URL | The root URL of your application where the authentication API routes reside. Usually identical to NEXT_PUBLIC_APP_URL, but strictly enforced on the server to prevent callback hijacking. |
| GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET | Required to enable GitHub OAuth login. |
| GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET | Required to enable Google OAuth login. |
Billing & Subscriptions
Keys required to interact with the Polar.sh API for managing user subscriptions, processing payments, and verifying secure webhooks.
| Variable | Configuration & Retrieval |
|---|---|
| POLAR_ACCESS_TOKEN | The primary access token utilized by the backend to fetch subscription tiers and modify customer states. |
| POLAR_WEBHOOK_SECRET | A secret used to verify the cryptographic signature of incoming webhook payloads, confirming that they genuinely originate from Polar.sh. |
| NEXT_PUBLIC_POLAR_PRO_PRODUCT_ID | The unique identifier for your primary paid subscription tier. Exposed to the client to dynamically generate checkout links. |
Cloudflare R2 Storage
S3-compatible API credentials for securely uploading user avatars and storing general application assets without massive egress fees.
| Variable | Configuration & Retrieval |
|---|---|
| R2_ACCOUNT_ID | Your root Cloudflare Account ID. |
| R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY | S3 API credentials generated specifically for your storage bucket. |
| R2_BUCKET_NAME | The literal string name of the bucket you created (e.g., |
| NEXT_PUBLIC_R2_DEV_URL | The public URL where your assets are served. Cloudflare provides a default .r2.dev URL, or you can map a custom domain. https://pub-xxxxxxxxxxxxx.r2.dev |
Email Delivery
Configuration for dispatching transactional emails such as password resets via Resend.
| Variable | Configuration & Retrieval |
|---|---|
| RESEND_API_KEY | The master key used to authenticate requests to the Resend API. |
| EMAIL_FROM | The exact email address that will act as the sender for your transactional emails. If you have not verified a custom domain yet, you must use Resend's default testing email. Once verified, replace it with your production email address. Testing: onboarding@resend.dev Production: support@yourdomain.com |